; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
cgi.fix_pathinfo=1

If this option is enabled, the following logic in PHP's CGI SAPI is triggered:

/*
 * if the file doesn't exist, try to extract PATH_INFO out
 * of it by stat'ing back through the '/'
 * this fixes url's like /info.php/test
 */
if (script_path_translated &&
    (script_path_translated_len = strlen(script_path_translated)) > 0 &&
    (script_path_translated[script_path_translated_len-1] == '/' ||
    .... // remainder omitted
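To make the walk-back concrete, here is a small simulation I added; it is not PHP's code and not from the original post. It replays the stat-back idea on a constructed in-memory file list instead of a real filesystem: starting from the SCRIPT_FILENAME the web server hands over, it strips one '/' component at a time until a prefix names an existing file, which becomes the script, with the rest becoming PATH_INFO. Alongside it is a defensive check of the kind a deployment wants when fix_pathinfo is on: the resolved script must carry an allowed extension before it is executed (the same idea as PHP-FPM's security.limit_extensions). The paths and the EXISTING_FILES set are constructed sample data, and accept_script/resolve_request are names chosen here, not PHP APIs.

```python
# Constructed sample of what stat() would report as existing regular files.
EXISTING_FILES = {
    "/var/www/info.php",
    "/var/www/uploads/avatar.jpg",
}

ALLOWED_SCRIPT_EXTENSIONS = (".php",)


def fix_pathinfo(script_filename, existing=EXISTING_FILES):
    """Simplified model of cgi.fix_pathinfo=1.

    Returns (script_path, path_info). If script_filename exists as-is,
    PATH_INFO is empty. Otherwise walk back through each '/' and take the
    first prefix that exists as the script; the remainder is PATH_INFO.
    Returns (None, None) when no prefix exists (PHP would answer 404).
    """
    if script_filename in existing:
        return script_filename, ""
    path = script_filename
    while True:
        idx = path.rfind("/")
        if idx <= 0:  # reached the root without finding a file
            return None, None
        path = path[:idx]
        if path in existing:
            return path, script_filename[len(path):]


def accept_script(script_path, allowed=ALLOWED_SCRIPT_EXTENSIONS):
    """Defensive check: only execute scripts whose extension is allowed.

    Without this, any existing file reached by the walk-back (e.g. an
    uploaded image) would be handed to the PHP interpreter.
    """
    return script_path is not None and script_path.lower().endswith(allowed)


def resolve_request(script_filename, existing=EXISTING_FILES):
    """Combine the walk-back with the extension check and report a decision."""
    script, path_info = fix_pathinfo(script_filename, existing)
    if script is None:
        return {"status": 404, "script": None, "path_info": None}
    if not accept_script(script):
        # Refuse rather than execute a non-PHP file as a script.
        return {"status": 403, "script": script, "path_info": path_info}
    return {"status": 200, "script": script, "path_info": path_info}


if __name__ == "__main__":
    for req in ("/var/www/info.php/test",
                "/var/www/uploads/avatar.jpg/x.php",
                "/var/www/missing.php"):
        print(req, "->", resolve_request(req))
```

The second sample request shows the case the post's title is about: with fix_pathinfo enabled, an existing non-PHP file becomes the script unless something (the extension check here, or equivalently a web-server rule that refuses to forward requests whose script file does not exist) stops it.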

Hi! I know this is kinda off topic but I was wondering which blog platform are you using for this site?

I’m getting tired of WordPress because I’ve had problems with hackers and I’m looking at alternatives for another platform.
It would be fantastic if you could point me in the direction of a good platform.

I almost never drop remarks, but I did some searching and wound up here at "A possible security vulnerability in Nginx + PHP CGI | 风雪之隅".

And I do have some questions for you if you tend not to mind.

Is it just me or does it look as if a few of these comments come across like they
are written by brain dead visitors? 😛 And,
if you are posting on other online social sites, I would like to follow everything fresh you have to
post. Could you make a list of all your shared
pages like your Facebook page, twitter feed, or linkedin profile?

Woah! I’m really enjoying the template/theme of this website. It’s
simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between user friendliness and visual appearance. I must say that you’ve done an awesome
job with this. Additionally, the blog loads very
quick for me on Chrome. Outstanding Blog!

[…] I read it correctly, the cgi.fix_pathinfo security issue was brought into discussion by laruence in late May 2010 that with SCRIPT_FILENAME set by greedy regexp capturing, PHP web application is […]

[…] [1]http://hi.baidu.com/yuange1975/blog/item/4c223031a6727eaf5edf0e46.html [2]http://www.laruence.com/2010/05/20/1495.html This was written by admin. Posted on Friday, May 21, 2010, at 12:51 pm. Filed under Exploit. […]